ffuf
Last updated
Last updated
Basics :
For example, we can append the extension after index. head /usr/share/seclists/Discovery/Web-Content/web-extensions.txt .asp .aspx .bat .c .cfm .cgi .css .com .dll .exe
[+]Directory names are not always dependent on the type of environment you are enumerating and is often a good starting point before attempting to fuzz for files. If we wanted to fuzz directories we only need to provide a wordlist.
Sometimes it might be beneficial to see what requests the server doesn't handle by matching for HTTP 500 Internal Server Error response codes (-mc 500). Finding irregularities in behavior could help better understand how the web app works.
There are other filters and matchers. For example, you could encounter entries with a 200 status code with a response size of zero. eg. functions.php or inc/myfile.php.
Unless we have a LFI (local file inclusion) this kind of files aren't interesting, so we can use -fs 0 (filter size). Here are all filters and matchers:
We often see there are false positives with files beginning with a dot (eg. .htgroups, .php, etc.). They throw a 403 Forbidden error, however those files don't actually exist. It's tempting to use -fc 403 but this could hide valuable files we don't have access to yet. So instead we can use a regexp to match all files beginning with a dot.
ffuf -u http://10.10.210.77/FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-files-lowercase.txt -fr '/\..*'
For this task, we'll be looking at parameter fuzzing. This is the base URL we'll be fuzzing: http://MACHINE_IP/sqli-labs/Less-1/.
What would you do when you find a page or API endpoint but don't know which parameters are accepted? You fuzz!
Discovering a vulnerable parameter could lead to file inclusion, path disclosure, XSS, SQL injection, or even command injection. Since ffuf allows you to put the keyword anywhere we can use it to fuzz for parameters.
Now that we found a parameter accepting integer values we'll start fuzzing values.
We can also use ffuf for wordlist-based brute-force attacks, for example, trying passwords on an authentication page.
Here we have to use the POST method (specified with -X) and to give the POST data (with -d) where we include the FUZZ keyword in place of the password.
We also have to specify a custom header -H 'Content-Type: application/x-www-form-urlencoded' because ffuf doesn't set this content-type header automatically as curl does.
ffuf may not be as efficient as specialized tools when it comes to subdomain enumeration but it's possible to do.
You could compare the results obtained with direct subdomain enumeration and with vhost enumeration:
For example, it is possible that you can't find a sub-domain with direct subdomain enumeration (1st command) but that you can find it with vhost enumeration (2nd command).
Vhost enumeration technique shouldn't be discounted as it may lead to discovering content that wasn't meant to be accessed externally.
It's also possible to send only matches to your proxy for replaying:
This may be useful if you don't need all the traffic to traverse an upstream proxy and want to minimize resource usage or to avoid polluting your proxy history.
As you start to use ffuf more, some options will prove to be very useful depending on your situation.-ic allows you to ignore comments in wordlists that such as headers, copyright notes, comments, etc:
We've only reviewed a small subset of the useful features and options ffuf has to offer for fuzzing. Use ffuf -h to discover the other options that might be useful for you and to answer the remaining questions in this task.
At this point, we could generate a wordlist and save a file containing integers. To cut out a step we can use -w - which tells ffuf to read a wordlist from . This will allow us to generate a list of integers with a command of our choice then pipe the output to ffuf. Below is a list of 5 different ways to generate numbers 0 - 255.
Some subdomains might not be resolvable by the DNS server you're using and are only resolvable from within the target's local network by their private DNS servers. So some virtual hosts (vhosts) may exist with private subdomains so the previous command doesn't find them. To try finding private subdomains we'll have to use the Host HTTP header as these requests might be accepted by the web server. Note: (vhosts) is the name used by Apache httpd but for Nginx the right term is .
Whether it's for or for using BurpSuite plugins you can send all the ffuf traffic through a web proxy (HTTP or SOCKS5).
